[PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Feb 16 10:52:21 CET 2022
On Wed, 16 Feb 2022 at 04:20, AKASHI Takahiro
<takahiro.akashi at linaro.org> wrote:
>
> Heinrich,
>
> We (I and Ilias) are still discussing on this patch.
> I don't think it appropriate to merge it (in -rc2) at this point.
I think it's fine to keep this as is since it's actually testing for a
case that the patch fixed. I'll send a patch updating the description
though.
Cheers
/Ilias
>
> -Takahiro Akashi
>
> On Fri, Feb 11, 2022 at 09:37:50AM +0200, Ilias Apalodimas wrote:
> > The previous patch is changing U-Boot's behavior wrt certificate based
> > binary authentication. Specifically an image who's digest of a
> > certificate is found in dbx is now rejected. Fix the test accordingly
> > and add another one testing signatures in reverse order
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > changes since RFC:
> > - Added another test cases checking signature hashes in reverse order
> > test/py/tests/test_efi_secboot/test_signed.py | 30 +++++++++++++++++--
> > 1 file changed, 28 insertions(+), 2 deletions(-)
> >
> > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> > index 0aee34479f55..cc9396a11d48 100644
> > --- a/test/py/tests/test_efi_secboot/test_signed.py
> > +++ b/test/py/tests/test_efi_secboot/test_signed.py
> > @@ -186,7 +186,7 @@ class TestEfiSignedImage(object):
> > assert 'Hello, world!' in ''.join(output)
> >
> > with u_boot_console.log.section('Test Case 5c'):
> > - # Test Case 5c, not rejected if one of signatures (digest of
> > + # Test Case 5c, rejected if one of signatures (digest of
> > # certificate) is revoked
> > output = u_boot_console.run_command_list([
> > 'fatload host 0:1 4000000 dbx_hash.auth',
> > @@ -195,7 +195,8 @@ class TestEfiSignedImage(object):
> > output = u_boot_console.run_command_list([
> > 'efidebug boot next 1',
> > 'efidebug test bootmgr'])
> > - assert 'Hello, world!' in ''.join(output)
> > + assert '\'HELLO\' failed' in ''.join(output)
> > + assert 'efi_start_image() returned: 26' in ''.join(output)
> >
> > with u_boot_console.log.section('Test Case 5d'):
> > # Test Case 5d, rejected if both of signatures are revoked
> > @@ -209,6 +210,31 @@ class TestEfiSignedImage(object):
> > assert '\'HELLO\' failed' in ''.join(output)
> > assert 'efi_start_image() returned: 26' in ''.join(output)
> >
> > + # Try rejection in reverse order.
> > + u_boot_console.restart_uboot()
> > + with u_boot_console.log.section('Test Case 5e'):
> > + # Test Case 5e, authenticated even if only one of signatures
> > + # is verified. Same as before but reject dbx_hash1.auth only
> > + output = u_boot_console.run_command_list([
> > + 'host bind 0 %s' % disk_img,
> > + 'fatload host 0:1 4000000 db.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 KEK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> > + 'fatload host 0:1 4000000 PK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> > + 'fatload host 0:1 4000000 db1.auth',
> > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 dbx_hash1.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> > + assert 'Failed to set EFI variable' not in ''.join(output)
> > + output = u_boot_console.run_command_list([
> > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> > + 'efidebug boot next 1',
> > + 'efidebug test bootmgr'])
> > + assert '\'HELLO\' failed' in ''.join(output)
> > + assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> > """
> > Test Case 6 - using digest of signed image in database
> > --
> > 2.32.0
> >
More information about the U-Boot
mailing list